IA.L2-3.5.3[a] — Identification & Authentication (Multifactor Authentication)
Domain: Identification & Authentication (IA) | Practice: IA.L2-3.5.3 | Objective ID: 3.5.3[a] | Source: NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2 | Assessment Objective: Multifactor authentication is implemented for access to privileged accounts.
Executive Summary (For Leadership and the Board)
CMMC objective IA.L2-3.5.3[a] sits inside the Identification & Authentication domain (IA.L2-3.5.3, Multifactor Authentication) and reads: "Multifactor authentication is implemented for access to privileged accounts." In practice this means every privileged (administrative) account must authenticate with at least two independent factor types: something the user knows (password or PIN), something the user has (hardware token, smart card, authenticator app), or something the user is (biometric). Two of the same type, such as a password plus a security question, do not count. Password-only authentication for administrative accounts is a critical weakness: a single phished or reused credential yields full control of the systems that store and process CUI. For organizations that handle Controlled Unclassified Information (CUI), this objective is part of the foundation that every downstream access-control and audit control depends on, because those controls assume the privileged identity behind an action is genuine.
DFARS 252.204-7012 already obligates contractors to implement NIST SP 800-171; under the CMMC clause (DFARS 252.204-7021), IA.L2-3.5.3[a] will be evaluated during a full third-party CMMC Level 2 assessment, a Joint Surveillance Voluntary Assessment (JSVA), or the formal certification that gates DoD contract awards involving CUI. Leadership and the board should be asking: Who owns this objective? Which accounts are classified as privileged, and is that inventory current? When was the MFA configuration last reviewed? Where is the evidence (identity-provider policies, enrollment reports, authentication logs) stored? And what is the remediation plan if a C3PAO flags a gap? Failing this objective in isolation may be POA&M-able under CMMC 2.0; failing it together with related objectives in the same practice typically is not, and because MFA is among the more heavily weighted practices, the eligibility of any gap for a POA&M should be confirmed against the current CMMC rule rather than assumed.